
Encryption required for Website storing personal details - GDPR

  • 19-11-2019 1:09pm
    #1
    Registered Users, Registered Users 2 Posts: 120 ✭✭


    Hi, wondering what the industry standard encryption required for a website database that is storing personal user details is, in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using a freelancer, very happy with the end result, and it is a not-for-profit research site, but it will be storing personal details so wondering what the requirements are for this?


Comments

  • Registered Users, Registered Users 2 Posts: 2,660 ✭✭✭Baz_


    Not to be too smart of an arse, but have you tried a search engine?


  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    AFAIK GDPR has nothing to do with encryption but to ensure you have permission to store data. Obviously you should do your best to ensure that access to the data is limited to authorised persons e.g. good passwords and secure code.


  • Registered Users, Registered Users 2 Posts: 34,217 ✭✭✭✭listermint


    Data should be obfuscated in the DB. It should only be stored if it has a current applicable need between the business and the customer. Once that need has expired the data should be wiped in full.

    Access to the data should be limited and should be logged when it has been accessed or modified.

    There should be regular automated processes to remove any expired data. So your retention policies need to be robust.


  • Registered Users, Registered Users 2 Posts: 3,036 ✭✭✭BailMeOut


    GDPR has rules relating to data breach or if data is stolen, so you need to protect the user data properly. Encrypting the at-rest MySQL data is a good start, but all the other normal best practices on security should be adhered to. Is the server behind a firewall, are proper rules in place, are you fully security patched all the time, do you use MFA and good passwords, SSL, etc.?

    Is this website publicly accessible?


  • Registered Users, Registered Users 2 Posts: 519 ✭✭✭CSSE09


    If you haven't already done it, make sure the site is using SSL.


  • Registered Users, Registered Users 2 Posts: 10,912 ✭✭✭✭28064212


    GDPR isn't prescriptive (it can't be). It states:
    Personal data shall be:
    ...
    processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
    "Appropriate security" is going to be highly dependent on your specific situation.




  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko




  • Moderators, Business & Finance Moderators Posts: 10,613 Mod ✭✭✭✭Jim2007


    19233974 wrote: »
    Hi, wondering what the industry standard encryption required for a website database that is storing personal user details is, in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using a freelancer, very happy with the end result, and it is a not-for-profit research site, but it will be storing personal details so wondering what the requirements are for this?

    Well if you are hosting the website on a hosting service not under your control it really won't matter what encryption you use, it will be in breach of the rules in any case.


  • Registered Users, Registered Users 2 Posts: 141 ✭✭DeconSheridan


    19233974 wrote: »
    Hi, wondering what the industry standard encryption required for a website database that is storing personal user details is, in order to comply with GDPR.

    The website is PHP / MySQL.

    We have got a research website developed using a freelancer, very happy with the end result, and it is a not-for-profit research site, but it will be storing personal details so wondering what the requirements are for this?
    At the high end your business will be ISO/IEC 27001 compliant.
    At the low end you're going to implement your own version of information security by the choices you make.

    Encrypting the DB storage should really be the least of your worries, and I'd be more focused on the front-end attack vectors such as logins and admin logins, the privileges users (both customers and workers) have, and the DB service accounts asking the database server for data.

    A common mistake many make is having the web application's DB credentials be a superuser :eek: on the DB when really they might only require to read/write and update credentials, but maybe more. This can lead to potential disasters in the event of a breach and loss of data, even whole databases.

    You do really need to lock down the web server and database from the perspective of sessions and logins, and who has access and what accounts are doing what, including DB service accounts.

    As always, backups (regular) are king and can and do save the day! I'd recommend VEEM, I'm not affiliated...
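As an added illustration (not from any poster in this thread) of two points raised above, DeconSheridan's warning about the web app connecting as a DB superuser and listermint's point about automated removal of expired data, here is how the PHP/MySQL setup described by the OP could be locked down. The database name `research`, the table and column names, and the account names are assumptions.

```sql
-- The over-privileged pattern: the PHP app's credentials can do anything,
-- so an injection or leaked config file hands over every database.
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost' WITH GRANT OPTION;

-- Least privilege instead: the app account gets only the verbs it needs on
-- only the tables it needs. No DELETE, no DROP, no access to mysql.* or
-- to other schemas, and it cannot grant rights to anyone else.
CREATE USER 'webapp'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-long-random-secret';   -- placeholder, generate a real one
GRANT SELECT, INSERT, UPDATE ON research.participants TO 'webapp'@'localhost';
GRANT SELECT, INSERT         ON research.responses    TO 'webapp'@'localhost';

-- A separate account for the retention job. It can delete expired rows but
-- has no INSERT/UPDATE and no rights on anything else. SELECT is needed
-- because the WHERE clause reads columns.
CREATE USER 'retention'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-another-secret';        -- placeholder
GRANT SELECT, DELETE ON research.participants TO 'retention'@'localhost';
GRANT SELECT, DELETE ON research.responses    TO 'retention'@'localhost';

-- Automated purge (listermint's "regular automated process"): runs nightly
-- as the retention account, removing anyone whose consent was withdrawn or
-- whose data has outlived the assumed two-year retention period.
-- The event scheduler must be enabled by an admin: SET GLOBAL event_scheduler = ON;
CREATE DEFINER = 'retention'@'localhost'
  EVENT research.purge_expired_participants
  ON SCHEDULE EVERY 1 DAY STARTS CURRENT_TIMESTAMP
  DO
    DELETE p, r
      FROM research.participants p
      LEFT JOIN research.responses r ON r.participant_id = p.id
     WHERE p.consent_withdrawn_at IS NOT NULL
        OR p.last_activity_at < NOW() - INTERVAL 2 YEAR;

-- The check: confirm each account holds nothing beyond what was intended.
SHOW GRANTS FOR 'webapp'@'localhost';
SHOW GRANTS FOR 'retention'@'localhost';
```

Creating an event with a DEFINER other than the current user requires the SET_USER_ID (or SUPER) privilege, so the CREATE EVENT statement is run once by the administrator, not by the app account.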

